Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method for analyzing security alerts, comprising: generating an enterprise graph based on information associated with an enterprise, wherein the enterprise graph identifies relationships between computers of the enterprise, wherein the relationships are based on an architecture and function performed in the enterprise; receiving a first security alert produced by a first security component associated with a first computer of the enterprise; receiving a second security alert produced by a second security component associated with a second computer of the enterprise; based on the enterprise graph, determining a strength of a relationship between the first computer and the second computer, wherein the strength of the relationship is based on what type of machine the first computer is, what type of machine the second computer is and where the first computer is located in the enterprise, and where the second computer is located in the enterprise; identifying a significant relationship between the first and second security alerts; identifying a potential security incident based on the significant relationship between the first and second security alerts and based on the strength of the relationship between the first computer and the second computer; ranking the first security alert, the second security alert, and a third security alert, wherein the third security alert is not associated with a potential security incident; prioritizing the first security alert and the second security alert over the third security alert based on the association of the first security alert and the second security alert with the potential security incident; presenting the first and second security alerts of the potential security incident as a chain of events, wherein the first security alert and the second security alert form the chain of events, which is compared to a criteria of attack to determine the security incident, and wherein the relationship helps define the chain of events; and concluding that the potential incident is an actual attack.
This invention relates to cybersecurity, specifically to analyzing security alerts within an enterprise network to detect and prioritize potential security incidents. The system generates an enterprise graph that maps relationships between computers based on their architecture, function, and location within the enterprise. This graph helps assess the strength of connections between devices, considering factors like machine type and network positioning. When security alerts are received from different computers, the system evaluates their significance by analyzing the relationship between the affected devices using the enterprise graph. If a strong relationship exists, the alerts are linked as part of a potential security incident. The system then ranks alerts, prioritizing those associated with a potential incident over unrelated alerts. The linked alerts are presented as a chain of events, which is compared to known attack patterns to confirm whether the incident is an actual attack. This approach improves threat detection by correlating alerts based on enterprise context, reducing false positives, and prioritizing high-risk incidents.
2. The method of claim 1 further comprising examining the first and second security alerts associated with the potential security incident to identify a known part of an attack.
This invention relates to cybersecurity systems that analyze security alerts to detect and respond to potential security incidents. The problem addressed is the difficulty in identifying coordinated attacks from multiple security alerts, which often lack context or correlation, leading to missed threats or false positives. The method involves receiving security alerts from multiple sources, such as intrusion detection systems, firewalls, or endpoint protection tools. These alerts are analyzed to determine if they are associated with the same potential security incident. If a connection is found, the alerts are grouped together for further examination. The method then examines the grouped alerts to identify patterns or indicators that match known attack techniques, tactics, or procedures (TTPs). This helps security analysts quickly recognize whether the incident resembles a previously documented attack, improving threat detection accuracy and response efficiency. The system may also prioritize incidents based on severity, likelihood of impact, or alignment with known attack patterns. By correlating alerts and comparing them against known attack signatures, the method reduces false positives and enhances the ability to detect sophisticated, multi-stage cyber threats. This approach streamlines incident response by providing actionable insights derived from aggregated security data.
3. The method of claim 2 wherein examining the first and second security alerts associated with the potential security incident to identify the known part of the attack comprises: comparing a chain of events with a criteria for the attack.
Security systems monitor networks for potential threats, generating multiple alerts that may indicate an attack. However, these alerts are often isolated and lack context, making it difficult to determine whether they are part of a coordinated attack or unrelated incidents. This invention addresses the challenge of correlating security alerts to identify known attack patterns within a larger security incident. The method involves analyzing two or more security alerts associated with a potential security incident to determine if they match a known attack. Specifically, the method examines the sequence of events recorded in the alerts and compares this chain of events against predefined criteria for the attack. The criteria may include specific event patterns, timing, or relationships between events that are characteristic of the attack. By matching the observed chain of events to these criteria, the system can identify whether the alerts are part of a known attack or represent unrelated security issues. This approach improves threat detection by providing context and reducing false positives, allowing security teams to focus on genuine threats. The method can be applied in various security monitoring systems, including intrusion detection, endpoint protection, and network security tools.
4. The method of claim 1 further comprising generating a priority list of security incidents.
A system and method for managing security incidents in a networked environment involves detecting and analyzing security threats to prioritize and respond to incidents efficiently. The method includes monitoring network activity to identify potential security incidents, such as unauthorized access attempts, malware infections, or data breaches. Once detected, the incidents are analyzed to determine their severity, impact, and potential risk to the system. This analysis may involve assessing factors like the type of threat, affected systems, and potential damage. Based on this analysis, a priority list of security incidents is generated, ranking them according to their criticality. Higher-priority incidents are flagged for immediate attention, while lower-priority incidents may be addressed later or monitored for escalation. The system may also integrate with existing security tools to automate responses, such as isolating compromised systems or deploying countermeasures. The priority list helps security teams focus resources on the most critical threats, improving response times and reducing overall risk. The method ensures that security incidents are handled systematically, minimizing disruptions and enhancing network security.
5. The method of claim 1 further comprising recommending the first and second security alerts of the potential security incident be given investigative priority.
A system and method for prioritizing security alerts in a networked environment. The technology addresses the challenge of efficiently identifying and responding to potential security incidents among a high volume of security alerts generated by various monitoring systems. The method involves analyzing multiple security alerts to determine if they are related to a single potential security incident. This is done by evaluating the alerts for common attributes such as time, source, destination, and type of threat. If a relationship is identified, the alerts are grouped together as part of the same incident. The method further includes recommending that these grouped alerts be given investigative priority, ensuring that security teams focus on the most critical threats first. This prioritization helps reduce response times and improves the overall effectiveness of security operations. The system may also include a user interface for displaying the grouped alerts and their priority status, allowing security analysts to quickly assess and act on potential threats. The approach enhances threat detection and response by correlating disparate alerts and streamlining the investigative process.
6. The method of claim 1, wherein the strength of the relationship is based on two or more of a type of computer, a network and/or physical location of the first, second, and/or third computer, a physical distance and/or network connectivity between the first, second, and/or third computer, a same application executing on the first, second, and/or third computer, the first, second, and/or third computer performing a same function, a frequency of security alerts between the first, second, and/or third computer, and/or a type of security alert associated with the first, second, and/or third computer.
This invention relates to cybersecurity and network monitoring, specifically to methods for assessing the strength of relationships between computers in a network to detect potential security threats. The problem addressed is the difficulty in identifying malicious or compromised devices by analyzing their interactions with other devices in the network. The method evaluates the relationship strength between multiple computers based on various factors to determine if they are likely part of a coordinated attack or compromised group. The relationship strength is determined using two or more of the following criteria: the type of computer (e.g., server, workstation), network or physical location, physical or network distance between devices, shared applications or functions, frequency of security alerts, and the type of security alerts associated with the devices. For example, if multiple computers are running the same application, performing the same function, or generating similar security alerts, their relationship strength increases, indicating a higher likelihood of coordination or compromise. This analysis helps security systems identify anomalous behavior and potential threats more accurately. The method improves threat detection by considering multiple contextual factors rather than isolated events.
7. The method of claim 1 further comprising: prioritizing a plurality of potential security incidents relative to one another based on the significant relationship, on a number of relationships, and/or on an identification as the security incident; and generating a list of the plurality of potential security incidents ranked based on the priority.
This invention relates to cybersecurity systems that analyze and prioritize potential security incidents. The problem addressed is the challenge of efficiently identifying and ranking security threats in large-scale networks where numerous potential incidents may occur simultaneously. Existing systems often struggle to distinguish between high-risk and low-risk events, leading to inefficient resource allocation and delayed responses. The method involves detecting potential security incidents by analyzing network activity, user behavior, or system logs. It identifies significant relationships between these incidents, such as common attack vectors, shared vulnerabilities, or temporal correlations. The system then prioritizes incidents based on the strength of these relationships, the number of connections between incidents, and whether an incident has been explicitly identified as a confirmed security threat. This prioritization helps security teams focus on the most critical issues first. The ranked list of incidents is generated to guide automated or manual response efforts, ensuring that high-priority threats are addressed promptly. The system may also adjust priorities dynamically as new data is collected or relationships are updated. This approach improves threat detection accuracy and response efficiency in complex network environments.
8. The method of claim 1 wherein identifying the potential security incident based on the significant relationship between the first and second security alerts involves two or more computers of the enterprise.
This invention relates to cybersecurity systems that detect and analyze potential security incidents within an enterprise network. The problem addressed is the challenge of accurately identifying security threats by correlating multiple security alerts generated across different systems, which often operate independently and produce isolated alerts that lack contextual relationships. The method involves analyzing security alerts from multiple sources within an enterprise to determine if there is a significant relationship between them, indicating a potential security incident. The analysis is performed by two or more computers within the enterprise, which collaborate to process and correlate the alerts. The system evaluates the alerts to detect patterns, anomalies, or other indicators that suggest a coordinated attack or breach. By leveraging distributed computing resources, the method improves the accuracy and efficiency of threat detection, reducing false positives and enabling faster response times. The approach ensures that security alerts are not siloed but are instead analyzed in a unified manner, enhancing the overall security posture of the enterprise. The system may also prioritize alerts based on their severity and relevance to known threat patterns, allowing security teams to focus on the most critical incidents. This distributed analysis helps mitigate the limitations of centralized systems, which may struggle with scalability and real-time processing of large volumes of security data.
9. The method of claim 1 wherein one of the first and second security alerts occurs as a result of detection of a known piece of malicious executable code at an entity and another of the first and second security alerts occurs as a result of receipt of the known piece of malicious executable code from another entity.
This invention relates to cybersecurity systems for detecting and responding to malicious executable code within a networked environment. The problem addressed is the need to identify and mitigate threats posed by known malicious executable code, particularly when such code is detected locally or received from external sources. The method involves generating two distinct security alerts based on different detection scenarios. The first alert is triggered when a known piece of malicious executable code is detected at a local entity, such as a device or system within the network. The second alert is generated when the same known malicious executable code is received from another entity, such as an external source or another device within the network. This dual-alert mechanism ensures that threats are identified both when they originate locally and when they are propagated from external sources, enhancing threat detection and response capabilities. The system may also include additional steps, such as analyzing the malicious code, determining its origin, and taking automated or manual actions to neutralize the threat. The approach improves the accuracy and efficiency of threat detection by correlating alerts from different sources, reducing false positives, and enabling faster response times.
10. The method of claim 9 wherein the first security alert occurring as a result of detecting the known piece of malicious executable code and the second security alert occurring as a result of the receipt of the known piece of malicious executable code together result in the potential security incident.
A method for detecting potential security incidents in a computing environment involves analyzing security alerts generated by different detection mechanisms. The method identifies a potential security incident when two specific conditions are met: first, a security alert is triggered by detecting a known piece of malicious executable code within the system, and second, another security alert is generated upon receipt of the same known malicious executable code. The combination of these two alerts indicates a potential security incident, allowing for more accurate threat detection by correlating multiple detection events. This approach helps reduce false positives and improves the reliability of identifying actual security threats by requiring confirmation from multiple sources. The method may be part of a broader security monitoring system that processes and correlates alerts from various security tools to enhance threat detection capabilities. By focusing on known malicious code and its detection at different stages, the system ensures that only verified threats are flagged, improving overall security posture.
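The following is an added worked example (not code from the patent or its assignee) of the method described for claims 1, 6, 9 and 10: a constructed enterprise graph scores the relationship strength between two machines from machine type, location and function; alerts that share an indicator on strongly related machines are joined into a potential incident; the resulting chain of events is checked against the claim 9/10 attack criteria (known malicious code detected at one entity and received by another entity from it); and alerts belonging to an incident are ranked above an unrelated third alert. All machine names, weights, thresholds and alert data are hypothetical.

```python
"""Added illustration of the correlation method in claims 1, 6, 9 and 10.
Hypothetical data model and constructed sample data; not the patent's own code."""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Machine:
    name: str
    kind: str        # what type of machine it is, e.g. "domain_controller"
    site: str        # where it is located in the enterprise, e.g. "hq"
    function: str    # function it performs, e.g. "auth", "finance"


@dataclass(frozen=True)
class Alert:
    alert_id: str
    ts: int                       # event time, seconds since epoch (constructed)
    host: str
    kind: str                     # "malware_detected", "malware_received", ...
    sha256: Optional[str] = None  # indicator carried by the alert, if any
    source: Optional[str] = None  # for malware_received: the sending entity


class EnterpriseGraph:
    """Claim 6 style relationship strength from machine type, location, function."""
    KIND_WEIGHT = {"domain_controller": 1.0, "file_server": 0.8, "workstation": 0.4}

    def __init__(self, machines: List[Machine]):
        self.machines: Dict[str, Machine] = {m.name: m for m in machines}

    def strength(self, a: str, b: str) -> float:
        ma, mb = self.machines[a], self.machines[b]
        # the more critical of the two machine types dominates the type term
        score = 0.5 * max(self.KIND_WEIGHT.get(ma.kind, 0.2),
                          self.KIND_WEIGHT.get(mb.kind, 0.2))
        score += 0.3 if ma.site == mb.site else 0.0          # same location
        score += 0.2 if ma.function == mb.function else 0.0  # same function
        return round(min(score, 1.0), 2)


@dataclass
class Incident:
    chain: List[Alert]        # chain of events, oldest first
    strength: float           # relationship strength between the two hosts
    confirmed: bool = False   # True once the chain meets the attack criteria


def significant(a: Alert, b: Alert) -> bool:
    """Two alerts are significantly related when different hosts report the same indicator."""
    return a.sha256 is not None and a.sha256 == b.sha256 and a.host != b.host


def matches_attack_criteria(chain: List[Alert]) -> bool:
    """Claim 9/10 criteria: the same known malicious code is detected at one
    entity and received by another entity from that first entity."""
    detected = {x.host for x in chain if x.kind == "malware_detected"}
    return any(x.kind == "malware_received" and x.source in detected for x in chain)


def correlate(graph: EnterpriseGraph, alerts: List[Alert],
              threshold: float = 0.6) -> List[Incident]:
    """Join significantly related alert pairs on strongly related machines."""
    incidents: List[Incident] = []
    for a, b in combinations(alerts, 2):
        if not significant(a, b):
            continue
        s = graph.strength(a.host, b.host)
        if s < threshold:
            continue  # same indicator, but the machines are too weakly related
        chain = sorted([a, b], key=lambda x: x.ts)
        incidents.append(Incident(chain, s, matches_attack_criteria(chain)))
    return incidents


def rank_alerts(alerts: List[Alert], incidents: List[Incident]) -> List[str]:
    """Alerts in a potential incident outrank those in none; within each group
    the stronger relationship ranks first, then the earlier event."""
    best: Dict[str, float] = {}
    for inc in incidents:
        for x in inc.chain:
            best[x.alert_id] = max(best.get(x.alert_id, 0.0), inc.strength)
    return [x.alert_id for x in
            sorted(alerts, key=lambda x: (-best.get(x.alert_id, -1.0), x.ts))]


# Constructed sample enterprise and alerts (hypothetical, not from the patent)
GRAPH = EnterpriseGraph([
    Machine("ws-17", "workstation", "hq", "finance"),
    Machine("fs-01", "file_server", "hq", "finance"),
    Machine("kiosk-3", "workstation", "branch-2", "lobby"),
])
SHA = "a" * 64  # placeholder hash of a known malicious executable
ALERTS = [
    Alert("A1", 1000, "ws-17", "malware_detected", sha256=SHA),
    Alert("A2", 1060, "fs-01", "malware_received", sha256=SHA, source="ws-17"),
    Alert("A3", 1030, "kiosk-3", "failed_login"),  # unrelated third alert
]


def analyze(graph=GRAPH, alerts=ALERTS):
    incidents = correlate(graph, alerts)
    return incidents, rank_alerts(alerts, incidents)


if __name__ == "__main__":
    incs, order = analyze()
    for inc in incs:
        print(f"strength={inc.strength} confirmed={inc.confirmed}",
              " -> ".join(f"{x.alert_id}:{x.kind}@{x.host}" for x in inc.chain))
    print("priority order:", order)
```

Running it on the constructed data yields one confirmed incident (A1 then A2, strength 0.9) and the priority order A1, A2, A3; the same two alert kinds on weakly related machines (for example ws-17 and kiosk-3, strength 0.2) stay unjoined.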
11. The method of claim 1 wherein the first security alert alone, which corresponds with a detected known piece of malicious executable code, results in the potential security incident.
A method for detecting potential security incidents in a computing environment involves analyzing security alerts generated by monitoring systems. The method focuses on identifying malicious executable code by evaluating individual security alerts. When a single security alert corresponds to a known piece of malicious executable code, it triggers the classification of the event as a potential security incident. This approach streamlines threat detection by prioritizing alerts that match known malicious signatures, reducing false positives and improving response efficiency. The method may also incorporate additional security alerts or contextual data to enhance accuracy, but the primary trigger is the detection of a known malicious executable. This technique is particularly useful in environments where rapid identification of high-confidence threats is critical, such as enterprise networks or cybersecurity monitoring systems. The method ensures that even a single, highly reliable alert can initiate an incident response, minimizing the risk of undetected threats.
12. A system for analyzing security alerts, comprising: an enterprise graph service, executed by a processor of a server associated with the enterprise, that generates an enterprise graph based on information associated with an enterprise for identifying relationships between computers of the enterprise, wherein the relationships are based on an architecture and function performed in the enterprise; a first computer comprising: a first memory; and a first processor in communication with the first memory, wherein the first processor executes a first security component, wherein the first security component generates a first security alert regarding the enterprise; a second computer comprising: a second memory; and a second processor in communication with the second memory, wherein the second processor executes a second security component, wherein the second security component generates a second security alert regarding the enterprise; a server in communication with the first computer and the second computer, the server comprises: a third memory; and a third processor in communication with the third memory, wherein the third processor: identifies a significant relationship, based on the enterprise graph, between the first security alert and the second security alert, wherein the significant relationship is identified in the enterprise graph and corresponds with at least the first security alert and the second security alert; and executes a kill chain interpreter, wherein the kill chain interpreter: identifies a potential security incident based on the significant relationship between the first security alert and the second security alert and based on a strength of the relationship between the first computer and the second computer; ranks the first security alert, the second security alert, and a third security alert, wherein the third security alert is not associated with the potential security incident; prioritizes the first security alert and the second security alert over the third security alert based on identifying the first security alert and the second security alert with the potential security incident; presents the first and second security alerts of the potential security incident as a chain of events, wherein the first security alert and the second security alert form the chain of events, which is compared to a criteria of attack to determine the security incident, and wherein the relationship helps define the chain of events; and concludes that the potential security incident is an actual attack.
This system analyzes security alerts within an enterprise by identifying relationships between alerts and determining potential security incidents. The system includes an enterprise graph service that generates an enterprise graph based on enterprise architecture and function, mapping relationships between computers. Security components on multiple computers generate security alerts, which are processed by a server. The server identifies significant relationships between alerts using the enterprise graph, correlating alerts based on their connections within the enterprise. A kill chain interpreter evaluates these relationships to detect potential security incidents, ranking alerts based on their relevance to the incident. Alerts linked to a potential incident are prioritized over unrelated alerts. The system presents the alerts as a chain of events, comparing them to attack criteria to confirm the incident as an actual attack. The enterprise graph helps define the sequence of events, improving incident detection and response by contextualizing alerts within the enterprise's operational structure.
13. The system of claim 12 further comprising a list prioritizing the first and second security alerts corresponding with the potential security incident identified by the kill chain interpreter.
A system for cybersecurity threat detection and response prioritizes security alerts based on their relevance to a potential security incident. The system includes a kill chain interpreter that analyzes security alerts to identify and reconstruct a sequence of events indicative of a cybersecurity attack. The interpreter maps these events to stages of a kill chain model, which outlines the typical progression of an attack from initial reconnaissance to data exfiltration. By correlating alerts with these stages, the system determines the likelihood and severity of a security incident. The system further generates a prioritized list of security alerts, ranking them according to their relevance to the identified incident. This prioritization helps security analysts focus on the most critical alerts, improving response efficiency and reducing false positives. The system may also include a user interface for displaying the prioritized alerts and additional context, such as attack stage mappings and recommended actions. The prioritization process may involve machine learning models trained to recognize patterns in historical attack data, enhancing accuracy over time. The system is designed to integrate with existing security tools, such as SIEM (Security Information and Event Management) platforms, to streamline threat detection and response workflows.
14. The system of claim 12 further comprising a recommendation that the first and second security alert of the potential security incident be given priority over the third security alert not associated with any other identified potential security incident.
Security systems monitor networks for potential threats, generating multiple security alerts that may or may not be related. A challenge in such systems is determining which alerts require immediate attention, especially when multiple alerts are generated simultaneously. This can lead to alert fatigue, where security personnel overlook critical threats due to an overwhelming volume of notifications. A system addresses this issue by analyzing security alerts to identify potential security incidents. The system correlates alerts to determine if they are part of the same incident. When multiple alerts are associated with a single incident, the system prioritizes those alerts over others that are not part of any identified incident. For example, if three alerts are detected—two related to a single incident and one unrelated—the system recommends prioritizing the two related alerts over the unrelated one. This ensures that alerts that may indicate a coordinated attack or a significant threat are addressed first, improving response efficiency and reducing the risk of missed critical threats. The system may also include a user interface to display the prioritized alerts, allowing security personnel to focus on the most relevant threats.
15. The system of claim 12 further comprising a list of prioritized potential security incidents.
This invention relates to cybersecurity systems designed to enhance threat detection and response. The system monitors network activity to identify potential security incidents, such as unauthorized access attempts, malware infections, or data breaches. A key feature is the generation of a prioritized list of potential security incidents, ranking them based on severity, likelihood, or impact to help security teams focus on the most critical threats first. The prioritization may consider factors like the type of incident, affected systems, or historical threat patterns. This system integrates with existing security infrastructure to provide actionable insights, reducing response times and minimizing damage. The prioritized list may be displayed on a dashboard or sent as alerts to security personnel, enabling faster decision-making. The invention aims to improve efficiency in threat management by automating the assessment of incident severity, allowing human analysts to allocate resources more effectively.
16. The system of claim 12 wherein the potential security incident based on the significant relationship between the first security alert and the second security alert involves two or more computers of the enterprise.
This invention relates to cybersecurity systems for detecting and responding to potential security incidents within an enterprise network. The system monitors security alerts generated by multiple computers and analyzes them to identify significant relationships between alerts, which may indicate coordinated or widespread security threats. The system includes a data processing module that receives security alerts from various sources, such as intrusion detection systems, antivirus software, or network monitoring tools. These alerts are analyzed to determine if they share common characteristics, such as similar attack patterns, timestamps, or affected systems, which may suggest a larger security incident. If a significant relationship is detected between two or more alerts, the system generates a consolidated alert indicating a potential security incident involving multiple computers within the enterprise. The system may also prioritize these incidents based on severity, impact, or other factors to facilitate timely response. This approach improves threat detection by correlating isolated alerts into broader security events, reducing false positives and enhancing the enterprise's ability to mitigate risks. The invention is particularly useful in large-scale networks where individual alerts may not immediately reveal the full scope of an attack.
17. The system of claim 12 wherein the first security alert occurs as a result of detection of a known piece of malicious executable code at an entity and the second security alert occurs as a result of receipt of the known piece of malicious executable code from another entity, and the first and second security alerts together result in the potential security incident.
A system for detecting and responding to security incidents involving malicious executable code. The system monitors entities such as computers or networks for signs of compromise. When a known piece of malicious executable code is detected at an entity, a first security alert is generated. Additionally, if the same malicious executable code is received by the entity from another entity, a second security alert is triggered. The combination of these two alerts indicates a potential security incident, allowing for enhanced threat detection and response. The system may correlate these alerts to identify patterns or confirm malicious activity, improving the accuracy of threat assessment. This approach helps distinguish between isolated detections and coordinated attacks, reducing false positives and improving security posture. The system may also integrate with other security tools to automate responses, such as isolating affected systems or blocking malicious traffic. By analyzing the origin and behavior of the malicious code, the system provides actionable insights for mitigating threats. The solution addresses the challenge of detecting and responding to sophisticated cyber threats that may evade traditional security measures.
18. A non-transitory computer-readable storage medium including instructions for analyzing security alerts, which when executed by a processor are operable to execute a method, the method comprising: generating an enterprise graph based on information associated with an enterprise, wherein the enterprise graph identifies relationships between computers of the enterprise, wherein the relationships are based on an architecture and function performed in the enterprise; receiving a first security alert produced by a first security component associated with a first computer of the enterprise; receiving a second security alert produced by a second security component associated with a second computer of the enterprise; based on the enterprise graph, determining a strength of a relationship between the first computer and the second computer; identifying a significant relationship between the first and second security alerts and based on the strength of the relationship between the first computer and the second computer; identifying a potential security incident based on the significant relationship between the first and second security alerts; ranking the first security alert, the second security alert, and a third security alert, wherein the third security alert is not associated with a potential security incident; prioritizing the first security alert and the second security alert over the third security alert based on identifying the first security alert and the second security alert with the potential security incident; presenting the first and second security alerts of the potential security incident as a chain of events, wherein the first security alert and the second security alert form the chain of events, which is compared to a criteria of attack to determine the security incident, and wherein the relationship helps define the chain of events; and concluding that the potential security incident is an actual attack.
The field of cybersecurity involves monitoring and analyzing security alerts to detect and respond to potential threats. A challenge in this domain is efficiently correlating multiple security alerts from different sources to identify coordinated attacks, distinguishing them from isolated incidents. This invention addresses this problem by using an enterprise graph to model relationships between computers in an organization, enabling better alert prioritization and incident detection. The system generates an enterprise graph that maps relationships between computers based on their architecture and functional roles within the organization. When security alerts are received from different computers, the system evaluates the strength of the relationship between the affected systems using the enterprise graph. If a significant relationship is identified, the alerts are correlated to form a chain of events, which is then compared against known attack patterns. Alerts linked to a potential security incident are prioritized over unrelated alerts. The system ranks and presents the alerts as a sequence of events, helping security analysts determine whether the incident is an actual attack. This approach improves threat detection by leveraging contextual relationships between systems, reducing false positives, and enhancing response efficiency.
September 8, 2020